If your business is involved in an information breach, you are not generally required to offer credit services to your customers. However, many organizations do, offering services such as credit reporting, credit monitoring, identity theft insurance, and identity restoration services.
Recognize that many data breaches do not actually involve risk to the consumer’s credit. Offering such services do not protect your customer from any harm that might result from the breach. What’s more, some courts have ruled that in offering credit-related services you are acknowledging the customers’ credit is at risk.
When offering mitigation services, there are several factors to consider. First, determine whether the services are a good fit for the actual data breach that occurred. For example, a breach that involves a consumer name and credit card number could lead to unauthorized charges on the credit card, but would not yield sufficient information to open a new credit account.
If you do choose to offer credit monitoring or other related services, screen potential vendors carefully. Get a copy of all enrollment materials, marketing materials, and contracts that will be provided to your customers.
Determine whether the service provider is going to try to upsell your customers a more comprehensive product. Find out if the service provider will allow others to cross-sell products to customers who enroll in the service.
In either case, your customers may feel that they were not actually given a valuable service but rather targeted with additional sales from a third party. As a result, they may feel their privacy has been further violated.
Several credit monitoring services have been investigated by the FTC for unfair or deceptive practices. No matter how well you believe you’ve vetted your chosen vendor, ensure you will get adequate indemnification if the information you provide to the service provider is breached. Likewise, secure indemnification in cases in which the service provider is negligent in their monitoring services.
It’s best to involve legal counsel as soon as you become aware of a data breach. Counsel can help you determine the best way to proceed with an investigation and notification efforts. State and federal laws may require you to notify consumers or the media within a certain time after discovering a breach.